Understanding Linux Namespaces: Enhancing Process Isolation and Resource Management

Linux namespaces are a key building block of containerization on Linux. They provide process isolation by making it appear to a process that it has its own instance of a global system resource. There are eight main types of Linux namespaces, each isolating a specific aspect of system resources.

1. Mount (mnt)

  • Isolates: Mount points (filesystems)
  • Purpose: Processes can have their own view of the filesystem hierarchy.
  • Example:


2. Process ID (pid)

  • Isolates: Process ID numbers
  • Purpose: Each namespace can have its own PID 1 (init), giving the illusion of a separate system.
  • Example:


3. Network (net)

  • Isolates: Network interfaces, IP addresses, routing tables, etc.
  • Purpose: Each namespace can have its own network stack.
  • Example:


4. Interprocess Communication (ipc)

  • Isolates: System V IPC and POSIX message queues.
  • Purpose: Prevents IPC interference between processes in different namespaces.
  • Example:


5. UTS (UNIX Timesharing System)

  • Isolates: Hostname and domain name
  • Purpose: Containers or processes can have different hostnames.
  • Example:


6. User (user)

  • Isolates: User and group IDs
  • Purpose: Maps user IDs inside the namespace to different IDs outside (root in container ≠ root on host).
  • Example:


7. Cgroup (cgroup)

  • Isolates: Cgroup root directory
  • Purpose: Allows each namespace to manage its own control groups for resource limits.
  • Example:


8. Time (time) (added in Linux 5.6)

  • Isolates: System and monotonic clocks
  • Purpose: Allows a namespace to have its own system time.
  • Example:



| Namespace | Isolates | Example CLI |
|---|---|---|
| mnt | Filesystems | unshare --mount /bin/bash |
| pid | Process IDs | unshare --pid --fork /bin/bash |
| net | Network stack | ip netns add myns |
| ipc | IPC mechanisms | unshare --ipc /bin/bash |
| uts | Hostname/domain | unshare --uts /bin/bash |
| user | UID/GID mappings | unshare --user --map-root-user bash |
| cgroup | Control groups | unshare --cgroup bash |
| time | System clocks | unshare --time /bin/bash |
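
To check which of the eight namespaces a process actually has to itself, compare the symlinks under /proc/<pid>/ns/ with those of a reference process such as PID 1. The script below is an added example, not part of the original article; the function names (ns_compare, shared_with_ref, make_sample) and the namespace IDs in the sample are constructed for illustration.

```shell
# Added example: compare /proc/<pid>/ns/<type> symlink targets. Two processes
# share a namespace exactly when the targets (e.g. "net:[4026531840]") match.
NS_TYPES="mnt pid net ipc uts user cgroup time"

# ns_compare REF_DIR TARGET_DIR
# Prints one line per namespace type: "<type> shared|isolated|unknown".
ns_compare() {
    local ref_dir=$1 tgt_dir=$2 t ref tgt
    for t in $NS_TYPES; do
        # readlink fails when the entry is missing (kernel without that
        # namespace type) or unreadable (another user's process, no privileges).
        if ref=$(readlink "$ref_dir/$t" 2>/dev/null) &&
           tgt=$(readlink "$tgt_dir/$t" 2>/dev/null); then
            if [ "$ref" = "$tgt" ]; then echo "$t shared"; else echo "$t isolated"; fi
        else
            echo "$t unknown"
        fi
    done
}

# shared_with_ref REF_DIR TARGET_DIR
# Space-separated list of the namespaces the target shares with the reference.
shared_with_ref() {
    ns_compare "$1" "$2" | awk '$2 == "shared" { printf "%s%s", sep, $1; sep = " " }'
}

# Constructed sample: fake directories standing in for /proc/1/ns (host init)
# and /proc/<pid>/ns of a container that kept the host's net and time namespaces.
make_sample() {
    local d t i=4026531835
    d=$(mktemp -d) && mkdir "$d/host" "$d/ctr" || return 1
    for t in $NS_TYPES; do
        i=$((i + 1))
        ln -s "$t:[$i]" "$d/host/$t"
        case $t in
            net|time) ln -s "$t:[$i]" "$d/ctr/$t" ;;             # same id: shared
            *)        ln -s "$t:[$((i + 1000))]" "$d/ctr/$t" ;;  # own namespace
        esac
    done
    echo "$d"
}

sample=$(make_sample)
ns_compare "$sample/host" "$sample/ctr"
echo "still shared with host: $(shared_with_ref "$sample/host" "$sample/ctr")"
rm -rf "$sample"
```

On a live system, run ns_compare /proc/1/ns /proc/<pid>/ns as root; a container that reports net or pid as shared is running in the host's network or PID namespace.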

